On Thu, Dec 04, 2014 at 03:56:53AM -0500, Laine Stump wrote:
On 12/03/2014 12:02 PM, Daniel P. Berrange wrote:
On Tue, Dec 02, 2014 at 12:08:30PM -0500, Laine Stump wrote:
(Everyone - see the request for opinions/ideas towards the bottom)
The idea behind these patches is the following:
1) most virtual machines only have a single MAC address behind each interface, and that MAC address is known by libvirt.
2) If we (i.e. libvirt) manually add an entry to the bridge's forwarding database (fdb) for the MAC address associated with a port on the bridge, we can turn off learning and unicast_flooding for that port.
3) kernels starting with 3.15 (and actually working correctly starting in kernel 3.17) will notice that all of a bridge's ports have flood and learning turned off, and in that case will turn off promiscuous mode on all ports. If all but one of the ports have flood/learning turned off, then promiscuous will be turned off on that port (and left on for all the other ports)
4) When (4) can be done, there is a measurable performance advantage. It can also *kind of* help security, as it will prevent a guest from doing anything useful if it changes its MAC address (but won't prevent the guest from *sending* packets with a spoofed MAC address).
NB: These only work with a fixed MAC address, and no vlan tags set in the guest. Support for both of those will be coming. So just to be clear on the functional differences between the impls
With the current impl
1. The bridge has a table mapping MAC <-> TAP devices which is initially empty 2. Whenever a TAP device sends a packet, it causes an entry to be added to the MAC <-> TAP table 3. When the bridge needs to forward a packet with a MAC - If MAC is unknown, it is sent to all TAP devices - Else it is send to the specific TAP device 4. The physical device is always promiscuous to see all traffic on the LAN
An result of point 2, is that if the guest changes its MAC address on the fly, it merely needs to send a packet and the bridge will learn its new MAC address. That said our firewall rules can potentially block this dynamic change.
With the new impl
1. The bridge has a table mapping MAC <-> TAP devices which is initially empty 2. Libvirt tells the bridge what MAC address is associated with each TAP device added 3. The bridge always forwards the packets to the correct TAP device 4. The physical device is never promiscuous, it is programmed with MACs of all TAP devices
In both cases the guest can send packets with spoofed MAC addresses. In the old code these packets would make it onto the LAN and it can receive replies back. In the new code these packets would make it onto the LAN but it will never receive replies back.
At a high level the conceptual difference is whether the table of MAC addresses & TAP devices is statically defined by libvirt or dynamically defined on the fly.
HERE IS THE REQUEST FOR OPINIONS/IDEAS:
This V2 of the patchset addresses several issues brought up by jferlan on the original series, and changes the name of the attribute from:
promiscLinks='yes|no'
to
fdb='learningWithFlood|managed'
I'm somewhat more happy with this new naming than the previous but still looking for better ideas. It is closer to describing what the new code really does, but "learningWithFlood" seems a bit long and awkward, while I have been told that "fdb" is too short and unrecognizeable (I will point out that 1) "fdb" is the same name used by iproute2's "bridge" command, and 2) another bridge option, "stp" is also a three letter acronym that will only be recognized by those familiar with configuring an L2 bridge device or watching NASCAR on Saturday afternoons (or whenever it's on - not a fan myself :-)) One thing to remember is that libvirt is supposed to be providing a higher level configuration language that is independant of specific implementations. 'fdb' is terminology specific to the Linux bridge implementation, so I don't think that's appropriate to use in the XML configuration.
Good point. I'd been seeing this as a generic term, but I guess it isn't.
There is a user visible change in behaviour because this new solution, as implemented in this patch series, will no longer allow a guest to change its MAC address on the fly.
Of course if QEMU can provide a notification to libvirt when the guest changes its MAC address, then libvirt can update the MAC table and so re-gain functional equivalance with the old solution. I think we would want to be able to turn that on or off though.
For macvtap interfaces, we can already do that using trustGuestRxFilters='yes' (a name I don't really like in a location I don't really like (attribute of toplevel <interface> element), but couldn't come up with anything better and didn't get any other suggestions at the time). This has been in libvirt since last month's release. My thought was that if trustGuestRxFilters is yes and the interface is on a bridge, we can then honor any changes to mac address.
(This is where my dislike of my own choice for name of that option comes in - I can now see a need to allow the guest to change its vlan table or multicast table and honor those changes, while not allowing it to change its MAC address, or vice versa; it probably would have been better to add a new element called <rxFilter> or something, and have a separate attribute for trusting each piece. It has now been in one release, though, so I guess we're stuck with it.)
This all leads me to suggest that we should use the following syntax that is indepedant of the particular implementation choice, and instead represents the logical behaviour of the feature.
macTable=static|dynamic
The mode of 'static' means that the MAC address table will always match MACs recorded in libvirt guest XML. This is the new mode that your patches implement
The mode of 'dynamic' means that the MAC address table will be able to dynamically update itself as the guest changes MAC addresses. In the near term, this will use the traditional bridge learning mode. In the long term, if we can get MAC change notifications from QEMU, we can switch this over to use the new bridge features.
I do think that eventually libvirt should make self-management of the mac table the default, but even then I think we need to retain the ability to disable it and let the kernel do as it may, just in case there are compatibility problems if for no other reason.
Also, I think that enabling/disabling guest-initiated MAC address changes should be possible at the per-interface level, not (just) per-network. This can be done with the above-mentioned trustGuestRxFilters attribute (which can be set in a single interface, or for a network or network portgroup).
So I like naming the attribute "macTable", as that is more generic, but I'm not sure about the values "static" and "dynamic", because "dynamic" could describe two different things (dynamically changed by the kernel via learning and flood, or dynamically changed via libvirt being an omniscient hypervisor god that knows what to plug into the table), and "static" is something that can already be described via setting trustGuestRxFilters='no' combined with a "let libvirt control the mac table" option.
Maybe the problem is that you're providing a good name based entirely on the differences in behavior the guests can see, but what I'm looking for is a way to control how that behavior is provided, so more of a backend thing. (Note that if the "backend" is the bridge module, "static" isn't possible now and never will be, while if the backend is explicit management by libvirt, then "dynamic" isn't currently available, but will be in the future).
So perhaps more along the lines of macTableManager="kernel|libvirt" Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|